Method and apparatus for enforcing realtime access controls for endpoints

ABSTRACT

The disclosed system includes privileged access management (PAM) appliance that facilitates establishing a session between an accessor device and an endpoint device. Generally, an access application can be pushed to the endpoint device. Once received, the endpoint device can automatically execute the access application. When executed, the access application can connect to the PAM appliance. The PAM appliance can establish the session between the accessor device and the endpoint device.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/133,598 filed Apr. 20, 2016, entitled “METHOD AND APPARATUS FORENFORCING REALTIME ACCESS CONTROLS FOR ENDPOINTS,” which claims priorityfrom U.S. Patent Application Ser. No. 62/150,006 filed Apr. 20, 2015,entitled “METHOD AND APPARATUS FOR ENFORCING REALTIME ACCESS CONTROLSFOR ENDPOINTS,” the entirety of which is incorporated herein byreference.

BACKGROUND OF THE INVENTION

Information systems are some of the most important assets of anorganization. Information systems that store privileged or sensitiveinformation need to be secured with utmost vigilance and care, asexploiting these systems by unauthorized users or entities may result infinancial and business loses.

Various compliance organizations, rules, regulations, and standards arecreated to aid organizations and those who audit them create and enforcepolicies that minimize risk of unauthorized access of importantinformation systems and the data stored on those systems. As part ofthese policies organizations utilize various techniques to control,monitor and report on access to important information system assets.

Traditional solutions include segmenting networks such that onlyentities with access to those networks can access information systemassets deployed in that network. This solution results in overly broadaccess when entities require access only to a particular asset vs. allassets in a network. Other solutions involve setting up login or accesscredentials with various access rights for each system and sharing thosecredentials with only the entities that require access to those systems.Setting up access credentials per asset and attempting to disseminatethat information only to select entities is expensive to coordinate,maintain, and provide accurate audit trail.

Some organizations use a combination of these techniques increasing thecost to organization with marginal improvement in granular accesscontrol and audit reporting.

Based on the foregoing, there is a clear need for approaches thatprovide and enforce real time access controls to sensitive assets thatprovides granular access control, is easy to setup, administer,maintain, use, and audit.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A and 1B are, respectively, diagrams of a system and associatedprocess for providing and enforcing real time access controls, accordingto certain embodiments;

FIG. 2, diagram of policy enforcement by the access control system,according to certain embodiments;

FIG. 3 is a diagram of a system capable of providing client less accesswithin local area network (LAN) as well as remote networks, according toone embodiment;

FIG. 4 is a diagram of the software architecture of the communicationsystem of FIG. 1A, according to one embodiment;

FIG. 5 is a flowchart of a process for providing and enforcing real timeaccess controls, according to one example embodiment;

FIG. 6 is a flowchart of a process for generating and transmittingapproval requests for providing access to accessor devices, according toone example embodiment;

FIGS. 7A-7C are diagrams of example user interfaces used in theprocesses of FIGS. 1-6, according to various embodiments;

FIG. 8 is an exemplary hardware architecture of a remote access andcontrol appliance, according to an exemplary embodiment;

FIG. 9 is a diagram of a computer system that can be used to implementvarious embodiments of the invention; and

FIG. 10 is a diagram of a chip set that can be used to implement variousexemplary embodiments.

DESCRIPTION OF THE PREFERRED EMBODIMENT

An apparatus, method, and software for providing and enforcing realtimeaccess controls to endpoints is described. In the following description,for the purposes of explanation, numerous specific details are set forthin order to provide a thorough understanding of the embodiments of theinvention. It is apparent, however, to one skilled in the art that theembodiments of the invention may be practiced without these specificdetails or with an equivalent arrangement. In other instances,well-known structures and devices are shown in block diagram form inorder to avoid unnecessarily obscuring the embodiments of the invention.

When embodiments are described with respect to a wired network, it iscontemplated that these embodiments have applicability to other networksincluding wireless systems. Similarly when embodiments are describedwith respect to computing devices they have applicability to physical,virtual, mobile, handheld, headless, and graphical devices and systems.

FIGS. 1A and 1B are diagrams, respectively, of a system and associatedprocess for providing and enforcing real time access control toendpoints by accessors, administrators, and approvers, according tocertain embodiments. For purposes of illustration, a communicationsystem 100 (FIG. 1A) is described with respect to providing andenforcing real time access control to a customer network, as facilitatedby a privileged access management appliance (PAM appliance) 101, betweenan endpoint system 103, accessor system 105, approver system 107, andadministrator system 113, thereby enabling, for example, real timeaccess control to resources (including software or applicationsavailable, as well as storage/database and hardware capabilities) of theendpoint system 103. The appliance 101 is further connected to the othersystems through the data network 111. In certain embodiments, thesystems may include the users of each system, such as the user of theendpoint system 103, user accessor of the accessor system 105, userapprover of the approver system 107, administrative user of theadministrator system 113, and agent user of the protocol agent describedunder FIG. 3. According to one embodiment, the appliance 101 can beimplemented as a standalone hardware device; alternatively, theappliance 101 can be virtualized—i.e., virtual appliance. The appliance101 may commonly be referred to as the PAM appliance, network appliance,or just appliance.

In this example, the approver system 107 provides, in certainembodiments, a real time access control for endpoint systems 103 over adata network 111 using the PAM appliance 101. By way of example, thedata network 111 can be an internetwork, such as the global Internet, ora private network. The traffic during a session between the endpointsystem 103 and any accessor system 105 is handled and managed at the PAMappliance 101. In an exemplary embodiment, the PAM appliance 101 ismanaged by an administrator system 113, who can access the PAM appliance101 using a graphical user interface (GUI), such as a web interface. Insome embodiments, the web interface may be replaced with a clientapplication with the same capabilities. Such an application may beautomatically installed or removed from the administrator system 113 andapprover system 107 to provide real time access control to the resourcesof one of a plurality of endpoint systems 103.

The PAM appliance 101 also enables the administrator 113 to changesettings (configuration parameters) on the appliance 101 itself, inaddition to the software it contains. The appliance 101 also providesmanagement functions including the management of accessor access rightsvia the web interface. After physical installation of the PAM appliance101, the administrator 113 may log on to the appliance via the webinterface by using the appliance's public Uniform Resource Locator (URL)address.

As shown, the PAM appliance 101 provides, in certain embodiments, anaccess management and control mechanism that is secure, easy to use,provides granular access controls, and implemented in a turn-keyfashion. For the purposes of illustration, the appliance can be deployedby an organization and accessed by entities that are either internal orexternal to that organization. In certain embodiments, the PAM appliancecan be implemented to accommodate access and approval from mobilesystems and means to contact those mobile systems even when disconnectedfrom PAM appliance.

In the scenario of FIG. 1A, the deployed appliance 101 can serve as aremote access, access control, access management, audit, and reportingsystem for the organization. In one embodiment, the appliance isimplemented according to an onsite deployment model. A hostedSoftware-as-a-Service (Saas) model can also be an offering of thisapproach. In addition, the appliance can be further defined as aphysical or virtual computing system. This can include but not limitedto a server rack-mountable server, non-rack-mountable server, desktopcomputer, laptop computer, and virtual machines.

Additionally, the PAM appliance 101 has the capability of allowingon-demand product use from anywhere in the world. For example, as longas the network appliance is deployed accessible via a public IP address,an accessor 105, approver 107, or administrator 113 can log in his/heraccount via a web interface hosted on the network appliance 101 or use amobile application to connect to and gain access to the appliance or theendpoint as long as the effective policies grant them such access.

In one embodiment, endpoints 103 can also be accessed and controlled byan accessor 105 via agents that handle protocol conversions and bridgedisparate networks, e.g., by acting as proxies or push agents. Inanother embodiment, the accessors 105 may gain access to the PAMappliance via the use of access consoles, and endpoints 103 may beaccessed via use of endpoint clients.

An Access console (i.e., local client, accessor application/client, orweb client) can be downloaded from a web interface for remote access toendpoints 103, request access when needed, monitor ongoing sessions, andverify granted access. Also, an endpoint console (i.e., remote client,endpoint application/client, or web client) can be downloaded fromadministrative interface hosted on the PAM appliance 101—this endpointclient further can be distributed to endpoints to enable them for secureremote access and policy enforcement. In another embodiment theseclients can be downloaded from a third party hosted or Organization'sself-hosted download location or mobile application stores.

The appliance 101, in various embodiments, executes softwareapplications that can receive, handle, manage, and dispatch system ordata messages to and from the Access Consoles and Endpoint Clients via asecure connection (e.g., 256-bit Advance Encryption Standard (AES)Transport Layer Security (TLS)).

As seen in FIG. 1A, an Accessor 105 can access an endpoint 103 via PAMappliance 101. The accessor system 105 is a device attempting to accessendpoint system (or device) 103 or resources of the endpoint system 103through the network. Additionally, an administrator can set and assignpermissions, policies, and access rights. An approver 107 can grant realtime or scheduled access to endpoints to specific accessors either byaccessing a web based management interface hosted on the appliance, orvia an Access console that is connected to the appliance. In someembodiments, the web based management interface may also be interactedwith via email/SMS. The traffic between all systems is handled andmanaged at the appliance. To facilitate broadest reach and to easilywork through firewalls 109 and proxy servers, the system is designedsuch that all connections from the clients are initiated outboundtowards the appliance.

According to one embodiment, the operation of the PAM appliance 101 isdepicted in FIG. 1B. In step 115, the process detects an attempt toestablish (or that a session has been established and is on-going), byan accessor system (or device) 105, an accessing of resources at anendpoint system 103 via the PAM appliance 101. The endpoint system (ordevice) 103 may, in some embodiments, be one of many within a network.Based on access policies assigned to each endpoint system 103, the PAMappliance 101 establishes a session between the endpoint system 103 andthe accessor system 105. Under such a scenario, the PAM appliance 101acts between the endpoint system 103 and the accessor system 105 thusgranting access to the endpoint system 103 once accessibility by theaccessor system 105 is verified by the PAM appliance 101 as described instep 117. In step 119, a determination of whether access is granted ismade, if access was granted, the access is successful, per step 121,however if access was not granted, the accessor system 105 requestsaccess from the PAM appliance 101 which is then acted upon in real timeby an approver at the approver system 107 which can deny or grant accessbased on known information about the accessor at the accessor system105. Steps 123-129, describe certain embodiments where the PAM appliance101 provides a mean to make a request for access to the accessor system105, per step 123. Then in step 125, a request for access is sent by thePAM appliance to an approver system 107 which may be used by anadministrator to real time grant or deny access by the accessor system105. In step 127 the administrator that approves of the access (orapprover) then acts on the request and provides the PAM appliance withtheir decision of whether access is granted or denied, per step 129.

FIG. 2 is a diagram of a system for providing realtime access controlfor remote access, according to certain embodiments. A PAM appliance 101consists of a web server, applications, databases, downloadableinstallers, tools for appliance management, communication mechanisms,means for storing recordings, recording viewers, and self-checkingmechanisms. Web applications are used by Administrators 113 in settingup access policies, assigning those policies to endpoints, accessors,and approvers. Policies can be setup to grant always access, time-basedaccess, always request for access, one-time or multi-instance access andany combination thereof. Policies can also be setup to override certainaccess rights based on location of either the endpoint or the accessor.Additional policies can be configured and assigned to Approvers 107 suchthat they can approve only for certain times, endpoints 103, orduration. Databases are used for storing and retrieving policyinformation, event information, log data, and audit trail.

By way of example, two approaches are described. One approach provides“always access” to an endpoint 103 by an accessor with just anotification to an approver. In this scenario, an accessor using anAccess console, selects the endpoint from a list of endpoints that he orshe has access to and requests access. Since the accessor and theselected endpoint has an “always access” resultant policy, the PAMappliance 101 will establish a session between the endpoint and theaccessor. Once the session is established the accessor's access to theendpoint could potentially be governed by an in-session policy thateither grants or denies access to various tools, commands, credentials,or resources. On successful or unsuccessful session establishment anotification is sent to the approver or an administrator selected systemindicating that the accessor is now accessing an endpoint. Thenotification can be an email, a system log message, syslog event, anSMS, a mobile push notification, a mobile app notification, or a messagein an Access Console that the approver is using.

In another approach, an “always request” policy is assigned to anendpoint. In this scenario, when an accessor attempts to access theendpoint 103, an approval request is sent to the approver. The requestcan be sent to the approver such that he or she can act upon it even ifthey were not actively connected to the PAM appliance 101. Thesemechanisms include but not limited to email, SMS, and mobile pushnotifications. Upon receiving the request the approver 107 can eithergrant or deny access, grant access for a certain duration or time,comment on the request, apply a more restrictive policy to be effectiveon the session or request to be added to the session when the accessorsuccessfully initiates a session with the endpoint.

Accessors 105, Administrators 113, Endpoints 103, and Approvers 107 caneither be internal or external to the organization that owns PAMappliance 101. Access control restrictions can be enforced in anycombination of available permissions, settings, and assignments. As anembodiment an approver can approve an access request only from aparticular accessor for a particular endpoint for a certain duration andonly on a certain day and only approving the request from a desktopcomputer on the internal LAN of the organization. As another embodimentan accessor can access an endpoint without needing an approval but canonly access at a certain time of day for certain duration and can accessonly one certain application on the endpoint while not on the internalnetwork but can access any application while on the internal network ofthe organization.

Notifications and Approval requests carry sufficient information for theapprover to understand the request and take appropriate action. Meansare provided for the administrator 113 to configure and customizeinformation included in these requests based on their organizationpolicies.

As an embodiment at the end of an access session approver receivesanother notification with details of access session including videorecording of the session, comments left by the accessor 105, and auditdetails. As another embodiment this information is sent automatically toan external log aggregation, analysis and auditing application.

FIG. 3 is a diagram illustrating clientless access to endpoints 303while maintaining robust access controls. In addition to policy setting,enforcement, and approval process, this diagram illustrates a system andassociated processes for providing access to endpoints 303 via a PAMappliance 101 as an agent or a proxy, according to certain embodiments.In this embodiment endpoint 303 access application is pushed to anendpoint, executed, and connected back to the accessor via PAM appliance101. Push action can be achieved either directly from PAM appliance 101or via the means of a Protocol Agent 311. In one embodiment ProtocolAgent 311 pushes and automatically executes an endpoint client on anendpoint on behalf of the appliance. In another embodiment ProtocolAgent 311 converts the access protocol used by the appliance to aprotocol that is used by the endpoint for providing access. In oneembodiment Protocol Agent 311 connects to the end point using RDP andconnects to the PAM appliance 101 using a proprietary protocol. In thisembodiment RDP access is restricted to the endpoints from the publicinternet but since Protocol Agent 311 can connect outbound to theappliance and can connect using RDP inbound to the endpoint on localLAN, Protocol Agent 311 has effectively and securely bridged accessbetween disparate networks and protocols. In other embodiments protocolslike VNC, SSH, and vPro are bridged.

A plurality of Accessors 305 can access the system at any given time.Similarly a plurality of approvers can be available at any given time.While Accessors 305 are in access sessions with endpoints they caninvite other accessors into their session to provide guidance or help.These invites can be sent to either accessors already connected to thesystem or to those that simply setup a means for notification such asSMS or email. Upon receiving an email invite an accessor can join thesame session as the invitee accessor by clicking on a URL, using a code,or launching a pre-existing access console and selecting an invitation.Plurality of accessors can share their screens, collaborate via chat, ortransfer files among them based on policy settings.

FIG. 3 is an illustration of a system capable of providing Pushtechnology within a local area network (LAN) as well as within a remotenetwork, according to an exemplary embodiment. Without the need forpre-installed clients on an end-point system, the Push and Start Systemcan be used by an accessor to transfer an application to an endpoint andexecute the application to establish an access session connection backto the accessor provided sufficient access rights and approvals havebeen granted. The Push functionality provides reach to systems which arevisible from within the network that the accessor's computer isconnected to via a Local Push method and reach to systems within remotenetworks through a Push via a Push Agent mechanism.

In one embodiment, the actual Push of software to the remote computerand its execution can be accomplished via SMB (System Management Bus),Windows RPC (Remote Procedure Calls)/IPC (Inter Process Communication),Unix/Posix RPC, FTP (File Transfer Protocol), SSH (Secure Shell), HTTP(Hypertext Transfer Protocol) or other means.

The system, according to various embodiments, utilizes the followingcomponents (not shown): (1) an access console application; (2) a PushServer—which is what handles the operations in within the appliance; (3)an optional Push Agent; and (4) an endpoint application. It iscontemplated that the Push Agent (e.g., Push Agent) can be anapplication that is installed on a system or alternatively can be astand alone piece of hardware. The Push Server can be an applicationinstalled on an appliance 101 or a system (e.g., endpoint system 303,accessor system 305, or protocol agent 311 of the data network 111) oralternatively can also be a stand alone piece of hardware. The PushServer can also be a piece of software integrated into the clientapplication (e.g., executing on the endpoint system 303) where it servesits purpose within the application in the background.

Furthermore, this Push Agent can be used as an agent for other purposes,such as a connection agent to another server (not shown) in its network(e.g., the network 111) or a second network (e.g., networks 111); thatis, providing a connection to and forwarding of operations via a PushAgent, from the first network to a device of a second network (e.g.,devices 303-309 of the various networks 101) via, for instance, a thirdnetwork.

In this example, an endpoint application resident within a remote accessand control appliance 101 or a Push server (not shown) can be accessedby a endpoint system 303 which is running a client application. Theendpoint client application can be transferred to a remote system inthis network (Local Push) (e.g., other endpoint systems 303 of thevarious networks) by utilizing a ‘Push Agent’ system or protocol agent311. Furthermore, this Protocol Agent 311 can be used as an agent forother purposes, such as a connection agent to another server (not shown)in the second network; that is, providing a connection to and forwardingof operations via a Protocol Agent 311, from a first network to a deviceof a second network.

After the endpoint system 303 is connected to the remote Protocol Agent311 (which resides within an appliance 101 or a computer) via the PushServer, the endpoint system 303 prompts the remote Protocol Agent 311 totransfer an application to a remote computer (e.g., endpoint systems303), which resides outside of the network. In an exemplary embodiment,a Web browser based remote control is available and can perform a pushinstruction from a remote site to a targeted Protocol Agent 311. Uponreceiving a request, the remote Protocol Agent 311 transfers theapplication to a client remote system. In this manner, integrated remoteaccess and control tools enable both efficient remote problem resolutionand critical visibility limitation when deploying application to atargeted client remote system. This also enables a servicerepresentative to efficiently implement application tools and maintainsecurity throughout the enterprise right from the representative's desk.

In an exemplary embodiment, the appliance 101 uses certificate-basedauthentication to establish a persistent connection to the ProtocolAgent 311. When requesting a remote access session on an endpoint system303 via the Push functionality, the appliance 101 ensures that theendpoint system 303 has the right to push the client application to atargeted endpoint system (e.g., remote endpoint system 303). The clientapplication then can be transferred from the Protocol Agent 311 to theremote client system. The accessor system 305 can then establish asession connection to the endpoint's system. In some cases, the sessionconnection traverses one or more firewalls 309 as previously described.

In other embodiments, the appliance 101 uses the Protocol Agent 311 tofurther push an access application to an accessor system 305, forproviding the accessor system 305 with access to the endpoint systems303 through various sessions created on the appliance 101. Where theaccess application is pushed to the access system 305 only after theright to access has been granted or established. Where the accessapplication may also be pushed to other access systems 305 one theiraccess rights have been verified.

FIG. 4 is a diagram of the software architecture of the communicationsystem of FIG. 1, according to an exemplary embodiment. The product datatransfer architecture, in one embodiment, is formed based on a messagehandling and routing system—denoted as a Message Router System (MRS)which includes a collection of MRS modules (i.e., MRSm 401 a). TheMRSm's 401 a, 403 d, and 405 d provide a message routing system thatenables the routing of data within envelopes among the appliance 401,accessor system 403 and endpoint system 405 with, for example, mailboxesas data endpoints. The mailboxes, which can be used for sending andreceiving data, are also responsible for all handling of encoding(creation) and decoding of message envelopes with appropriately designedread and write methods. By way of example, the message envelope caninclude the following fields: a fromRouterID field specifying anidentifier associated with the MRS 401 a, a toRouterAddress fieldspecifying addressing information of the destination routing module.

In addition, the MRS 401 a can communicate with other modules in amanner similar to that described above. By way of example, the MRSm 401a can communicate with the web interface 411, a message manager 401 b, amessage processor module 401 c (includes chat, permission, logging,etc), a present/training 401 d, a secure layer module 401 f (e.g., SSLwrapper module), and a recorder module 401 g. The web interface 411 cancommunicate with other application modules via the MRS 401 a.

In an exemplary embodiment, the web interface 411 includes thefollowing: (1) a network configuration web interface; (2) a User/Adminweb interface which includes but not limited to user profileconfiguration, log reporting interface, and administrative userinterface; ( According to one embodiment, the web interface providesfunctions for configuring the appliance 401 to be deployed andintegrated into the network infrastructure of the installer. In oneembodiment, all other interfaces can communicate through the MRSm 401 aor to a storage module 401 e directly.

For ensuring proper dispatching of system messages received at the MRSm401 a, a message manager 401 b can be used in this exemplary embodiment.These messages can include such data as chat data, session system datalogging, system message posting, and system message queries, etc.

The message processor module 401 c receives system messages from MRSm401 a via the message manager module 401 b. These messages can includesuch data as approval requests, notification requests, approvalresponses, session system data logging, system message posting, systemmessage queries, permissions queries, and storage data retrievals.

The viewer module 401 d is configured to reduce the amount of screenupdate data transmitted from the client-side. In an exemplaryembodiment, the viewer module 401 d includes the following components(not shown): a viewer component, and one or more remote screen imageservers. These servers collect RSI change updates and send them on tothe RSI viewer via the MRSm 401 a. The viewer component receives RSIupdate data from a client-side (remote-side in this case) server via theMRSm 401 a and then sends the data off to the active servers to betransmitted to the appropriate destination. The main stream of RSIupdate data can be transmitted to the appropriate client via the MRSm401 a. Another stream of screen update data is transmitted to therecorder module 401 g to be written into the storage module 401 e.

The SSL module 401 f ensures that the data transfer between theappliance 401 and the accessor and endpoint system (403 and 405) isencrypted, e.g., 256-bit AES SSL encryption over links 417 and 419.

In one embodiment, the remote access and control appliance 401 utilizesan operating system (OS) 401 h that supports a variety of applications.For example, a web server application can run on top of the OS 401 h toprovide web hosting capabilities. The OS 401 h can also support SSL. TheSSL wrapper module 401 f provides SSL over Transmission Control Protocol(TCP) or other network protocols.

As described, in one embodiment, the network appliance utilizes an OS401 h with a web server for providing web hosting capabilities. Therouting and handling module (e.g., MRSm) 401 a, which is a transportlayer atop the OS 401 h, provides various network facilities.Accordingly, MRSm 401 a provides the generic means of transporting datafrom one system to another.

The MRSm 401 a of the network appliance 401 can communicate with theendpoint application of endpoint system 405, and the accessorapplication of the accessor system 403 or another appliance.

Under this example, the accessor system 403 and endpoint system 405include operating systems 403 a, 405 a; backend components 403 b, 405 b;and GUIs 403 c, 405 c. The backend components 403 b of the accessorsystem 403 can include a MRSm 403 d, a message manager module 403 e, anda file transfer manager module 403 f. The module 403 f interfaces with astorage module 403 g, which is configured to store retrieved contentstemming from the operation of the file transfer manager module 403 f.The backend components 403 b also include a RSI manager module 403 h.Yet another module 403 i (i.e., OS interface module), which is integralto the backend components 403 b, provides communication interfaces tothe OS 403 a. As shown, the backend components 405 b of the endpointsystem 405 resemble that of the backend components 403 b of the accessorsystem 403: a MRSm 405 d, a message manager module 405 e, and a filetransfer manager module 405 f, a storage module 405 g, a RSI managermodule 405 h, an OS interface module 405 i.

As for the GUI 403 c, the accessor system 403 can provide a number ofinterfaces depending on the applications. For instance, the GUI 403 ccan include a chat interface 403 j, a file transfer interface 403 k, aqueue interface 403 l, and a viewer 403 m. In this example, the endpointsystem 405 utilizes a chat interface 405 j and a viewer 405 k. The GUI403 c can include other interfaces such as remote command shell, systemdiagnostics, and system information to name a few. The GUI 405 c caninclude application specific chooser interface to only allow specificapplication viewing.

As explained with respect to the operation of the network appliance 401,the MRSm 403 d is the medium for handling all messages coming to theaccessor application 421 and all messages sent from the accessorapplication 421. The MRSm 403 d communicates with the message manager403 e, a RSI manager 403 h, and the file-transfer manager modules 403 f.The system messages, session data, and chat data are delivered to themessage manager module 403 e. The MRSm 403 d sends, as well as receives,system/control messages and RSI update data to and from the RSI managermodule 403 h. The MRSm 403 d interacts with the file-transfer manager403 f in sending and receiving system messages and file-transfer data.

The file-transfer manager 403 f handles all remote-to-local andlocal-to-remote (i.e. between the accessor system and the endpointsystem) reading and writing of files. The system messages andfile-transfer data are received and sent through the MRSm 403 d.Notably, the file-transfer interface module 403 k on the GUI component403 c receives data from the MRSm 403 d and sends all data directly tothe MRSm 403 d. Assuming the permissions to the endpoint file systemaccess have been granted, the processes and steps involved intransferring a file from accessor storage 403 g to the endpoint storage405 g include an initiation of a file transfer from the file-transferGUI, a system command message sent to the MRSm 403 d. MRSm 403 ddelivers the command to the file-transfer manager module 403 f toexecute on constructing the data to be sent to MRSm 405 d of theendpoint system 405 via the MRSm 403 d. A system notification message isdelivered to the message manager 403 e via MRSm 403 d to be displayed inthe chat GUI 403 j after being delivered there by the message manager403 e. The processes and steps involved in transferring a file from theendpoint to the accessor include an initiation from the file-transferGUI 405 k, a system command message sent to the file-transfer manager405 f via the endpoint MRSm 405 d. The file-transfer manager 405 fconstructs a proper remote file transfer request, which is then sentthrough the endpoint MRSm 405 d to the accessor MRSm 403 d through theMRSm 401 a on the appliance. The accessor MRSm 403 d receives therequest command, delivering it to the remote file-transfer manager 403f, which in turn, receives the file system data requested to betransmitted back to the endpoint MRSm 405 d by the accessor MRSm 403 dthrough the MRSm 401 a on the appliance. The accessor MRS 403 d deliversthe file system data received from the endpoint MRS 405 d to thefile-transfer manager 403 f for processing and storing in the local filesystem storage 403 g. Also, a system notification message as well as afile-transfer GUI refresh command is delivered to the file-transfer GUI403 k via the dispatcher 403 e from the MRS 403 d.

The RSI manager modules 403 h and 405 h, in one embodiment, includes thefollowing components: a RSI updater, which “paints” the RSI viewer GUIs403 m and 405 k with RSI screen update data; RSI server, which utilizesthe OS Communication Interface modules 403 i and 405 i. The OScommunication interface modules 403 i and 405 i interfaces with the OSsystem 403 a and 405 a for detecting and listening for screen and systemupdates, collecting these updates, and packaging and encoding theseupdates into data to be then sent to the viewing system via therespective MRSm's.

The RSI manager modules 403 h and 405 h can also provide the capabilityof reverse viewing. In this mode, the viewing of the remote system isreversed to being viewed by the remote system.

The network appliance 401 also permit support representatives to predictand lower the total cost of ownership (TCO) vis-à-vis the ASP model, inwhich the support representatives are typically charged a monthly fee.With the network appliance 401, representatives can predict their budgetwithout monthly fees, surcharges or overages.

FIG. 5 is a flowchart of a process for providing and enforcing real timeaccess controls, according to one example embodiment.

In step 501, the PAM appliance 101 detects an attempt to access anendpoint device 103 by an accessor device 105. In some embodiments, theendpoint device 103 is one of a plurality of endpoint devices within anetwork, and the PAM appliance 101 manages access rights to theplurality of endpoint devices within the network. In one embodiment, thePAM appliance 101 also manages network traffic among the plurality ofendpoint devices, the accessor device 105, the approver device 107, andother systems of the network (e.g., administrator device 113).

In step 503, the PAM appliance 101 establishes a session between theendpoint device 103 and the accessor device 105 based on an accesspolicy assigned to the endpoint device 103. In one embodiment, theaccess policy specifies access control restrictions, that are enforcedby the PAM appliance 101, using permissions, settings, and/orassignments. These access policies may include temporal, location,and/or resource restrictions as well as restrictions on accessinstances.

In step 505, the PAM appliance 101 transmits a report of the session toan approver device 107 based on the access policy. The report mayinclude access information, audit information, and/or sessioninformation associated with the access to the endpoint device 103, aswell as other session related information (e.g., information associatedto the session between the endpoint 103 and accessor 105). Finally, theapprover device 107 may automatically grant approval based on anapproval policy related to the endpoint device 103, accessor device 105,and/or the network. The approval policy may include temporal, location,devices, and/or resource restrictions as well as restrictions on accessinstances. In one embodiment, the approval policy may also be used todetermine whether a response to a request for access complies with theapproval policy and override the response of an administrator using theapprover device, based on the approval policy.

FIG. 6 is a flowchart of a process for generating and transmittingapproval requests for providing access to accessor devices, according toone example embodiment.

In step 601, the PAM appliance 101 generates an approval request for theaccessor device 105, in order to provide access to the endpoint device103 by the accessor device 105.

In step 603, the PAM appliance 101 then transmits the approval requestto the approver device 107. The approver device 107 may then approve,deny, apply further conditions to access, comment on the request/access(e.g., notify the accessor device 105 of deficiencies, issues, etc.),apply different policies for the session, and/or join the approverdevice 105 to the session, for providing access by the accessor device105 to the endpoint device 103.

FIGS. 7A-7C are diagrams of example user interfaces used in theprocesses of FIGS. 1-6, according to various embodiments. FIG. 7A is anexample user interface for creating access policies according to theapproaches of the various embodiments described herein. In the exampleof FIG. 7A, the policy creation user interface includes fields forspecifying a display name 701, code name 703, and description 705. Theuser interface also includes fields for specifying related accessschedules 707, session notifications 709, and session approvals 711.

FIG. 7B depicts an example user interface for requesting access approvalaccording to the various embodiments described herein. In the example ofFIG. 7B, the access approval user interface identifies the applicablepolicy 701, related policy description 705, and designated approvers711. The user interface also includes fields to specify a reason for theaccess approval request 713 and requested access times 715.

FIG. 7C depicts an example user interface for presenting and monitoringaccess requests initiated according to the various embodiments describedherein. By way of example, the user interface of FIG. 7C presentsinformation regarding active sessions including information on accesspolicies applicable to the sessions and access approval statusinformation. As shown, the active sessions 717 a-d related to aparticular resource or resources (e.g., resource JXNLWS5555). In oneembodiment, a user can select one or more of the active sessions 717 a-dto pin to an active desktop, window, or other user interface element tofacilitate monitoring. In addition, recent or other historical accessinformation related to the resource/resources can be presented (e.g.,previous requests, pending requests, and/or future requests) 719. In oneembodiment, the user interface can also provide for create new requestsfrom new information or from previous requests (e.g., previously deniedrequests).

FIG. 8 is an exemplary hardware architecture of a remote access andcontrol appliance, according to an exemplary embodiment. The networkappliance 101, in one embodiment, comprises various componentinterfaces, including serial and parallel ports 801 and 803, a displayinterface (e.g., an RGB (Red, Green and Blue) port 805), local areanetwork (LAN) ports (e.g., Ethernet ports) 807 and 809, and input deviceports (e.g., PS2) 811 and 813. The network appliance 101 also contains apower regulator 815, internal memory in the form of RAM (Random AccessMemory) 817, one or more processors 819, each which may be a multi-coreprocessor, LEDs (Light Emitting Diodes) 837, reset control 835 and aSATA (Serial Advanced Technology Attachment) storage drive 833.

As mentioned, the network appliance 101, in an exemplary embodiment, canbe a 1U rack-mountable server hardware. However, it is contemplated thatconfigurations other than those illustrated in FIG. 8 can beconstructed, depending on the particular applications. For example,different types of appliances can be designed for different uptimerequirements. With uptime-critical customers, the network appliance 101provides for fail-over redundancies; e.g., use of multiple disk drives827-831, for Fail-over and Hot-Swap capabilities via a RAID (RedundantArray of Independent Disks) controller 821. This configuration of theappliance 101 can also be equipped with a backup AC-DC (AlternatingCurrent-Direct Current) regulator 823, which can be triggered when themain regulator 815 is detected as non-functional. Alternatively, fornon-uptime-critical customers, the network appliance 101 can beconfigured without the additional hardware and/or software required forproviding redundancies.

As earlier described, the network appliance 101, in an exemplaryembodiment, can be a virtual appliance. Such software appliance can berun in a virtual environment. For instance, an image of the operatingsystem and base software application can be installed on a virtualmachine. Virtualization provides an abstraction layer that separates theoperating system from the hardware, as to permit resource sharing. Inthis matter, different virtual machines (using heterogeneous operatingsystems) can co-exist on the same hardware platform.

The processes described herein for providing secure, on-demand remotesupport may be implemented via software, hardware (e.g., generalprocessor, Digital Signal Processing (DSP) chip, an Application SpecificIntegrated Circuit (ASIC), Field Programmable Gate Arrays (FPGAs),etc.), firmware or a combination thereof. Such exemplary hardware forperforming the described functions is detailed below.

FIG. 9 illustrates computing hardware (e.g., computer system) upon whichan embodiment according to the invention can be implemented. Thecomputer system 900 includes a bus 901 or other communication mechanismfor communicating information and a processor 903 coupled to the bus 901for processing information. The computer system 900 also includes mainmemory 905, such as random access memory (RAM) or other dynamic storagedevice, coupled to the bus 901 for storing information and instructionsto be executed by the processor 903. Main memory 905 also can be usedfor storing temporary variables or other intermediate information duringexecution of instructions by the processor 903. The computer system 900may further include a read only memory (ROM) 907 or other static storagedevice coupled to the bus 901 for storing static information andinstructions for the processor 903. A storage device 909, such as amagnetic disk or optical disk, is coupled to the bus 901 forpersistently storing information and instructions.

The computer system 900 may be coupled via the bus 901 to a display 911,such as a cathode ray tube (CRT), liquid crystal display, active matrixdisplay, or plasma display, for displaying information to a computeruser. An input device 913, such as a keyboard including alphanumeric andother keys, is coupled to the bus 901 for communicating information andcommand selections to the processor 903. Another type of user inputdevice is a cursor control 915, such as a mouse, a trackball, or cursordirection keys, for communicating direction information and commandselections to the processor 903 and for controlling cursor movement onthe display 911.

According to an embodiment of the invention, the processes describedherein are performed by the computer system 900, in response to theprocessor 903 executing an arrangement of instructions contained in mainmemory 905. Such instructions can be read into main memory 905 fromanother computer-readable medium, such as the storage device 909.Execution of the arrangement of instructions contained in main memory905 causes the processor 903 to perform the process steps describedherein. One or more processors in a multi-processing arrangement mayalso be employed to execute the instructions contained in main memory905. In alternative embodiments, hard-wired circuitry may be used inplace of or in combination with software instructions to implement theembodiment of the invention. Thus, embodiments of the invention are notlimited to any specific combination of hardware circuitry and software.

The computer system 900 also includes a communication interface 917coupled to bus 901. The communication interface 917 provides a two-waydata communication coupling to a network link 919 connected to a localnetwork 921. For example, the communication interface 917 may be adigital subscriber line (DSL) card or modem, an integrated servicesdigital network (ISDN) card, a cable modem, a telephone modem, or anyother communication interface to provide a data communication connectionto a corresponding type of communication line. As another example,communication interface 917 may be a local area network (LAN) card (e.g.for Ethernet™ or an Asynchronous Transfer Model (ATM) network) toprovide a data communication connection to a compatible LAN. Wirelesslinks can also be implemented. In any such implementation, communicationinterface 917 sends and receives electrical, electromagnetic, or opticalsignals that carry digital data streams representing various types ofinformation. Further, the communication interface 917 can includeperipheral interface devices, such as a Universal Serial Bus (USB)interface, a PCMCIA (Personal Computer Memory Card InternationalAssociation) interface, etc. Although a single communication interface917 is depicted in FIG. 9, multiple communication interfaces can also beemployed.

The network link 919 typically provides data communication through oneor more networks to other data devices. For example, the network link919 may provide a connection through local network 921 to a hostcomputer 923, which has connectivity to a network 925 (e.g. a wide areanetwork (WAN) or the global packet data communication network nowcommonly referred to as the “Internet”) or to data equipment operated bya service provider. The local network 921 and the network 925 both useelectrical, electromagnetic, or optical signals to convey informationand instructions. The signals through the various networks and thesignals on the network link 919 and through the communication interface917, which communicate digital data with the computer system 900, areexemplary forms of carrier waves bearing the information andinstructions.

The computer system 900 can send messages and receive data, includingprogram code, through the network(s), the network link 919, and thecommunication interface 917. In the Internet example, a server (notshown) might transmit requested code belonging to an application programfor implementing an embodiment of the invention through the network 925,the local network 921 and the communication interface 917. The processor903 may execute the transmitted code while being received and/or storethe code in the storage device 909, or other non-volatile storage forlater execution. In this manner, the computer system 900 may obtainapplication code in the form of a carrier wave.

The term “computer-readable medium” as used herein refers to any mediumthat participates in providing instructions to the processor 903 forexecution. Such a medium may take many forms, including but not limitedto non-volatile media, volatile media, and transmission media.Non-volatile media include, for example, optical or magnetic disks, suchas the storage device 909. Volatile media include dynamic memory, suchas main memory 905. Transmission media include coaxial cables, copperwire and fiber optics, including the wires that comprise the bus 901.Transmission media can also take the form of acoustic, optical, orelectromagnetic waves, such as those generated during radio frequency(RF) and infrared (IR) data communications. Common forms ofcomputer-readable media include, for example, a floppy disk, a flexibledisk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM,CDRW, DVD, any other optical medium, punch cards, paper tape, opticalmark sheets, any other physical medium with patterns of holes or otheroptically recognizable indicia, a RAM, a PROM, and EPROM, a FLASH-EPROM,any other memory chip or cartridge, a carrier wave, or any other mediumfrom which a computer can read.

Various forms of computer-readable media may be involved in providinginstructions to a processor for execution. For example, the instructionsfor carrying out at least part of the embodiments of the invention mayinitially be borne on a magnetic disk of a remote computer. In such ascenario, the remote computer loads the instructions into main memoryand sends the instructions over a telephone line using a modem. A modemof a local computer system receives the data on the telephone line anduses an infrared transmitter to convert the data to an infrared signaland transmit the infrared signal to a portable computing device, such asa personal digital assistant (PDA) or a laptop. An infrared detector onthe portable computing device receives the information and instructionsborne by the infrared signal and places the data on a bus. The busconveys the data to main memory, from which a processor retrieves andexecutes the instructions. The instructions received by main meGEmorycan optionally be stored on storage device either before or afterexecution by processor.

FIG. 10 illustrates a chip set 1000 upon which an embodiment of theinvention may be implemented. Chip set 1000 is programmed to present aslideshow as described herein and includes, for instance, the processorand memory components described with respect to FIG. 10 incorporated inone or more physical packages (e.g., chips). By way of example, aphysical package includes an arrangement of one or more materials,components, and/or wires on a structural assembly (e.g., a baseboard) toprovide one or more characteristics such as physical strength,conservation of size, and/or limitation of electrical interaction. It iscontemplated that in certain embodiments the chip set can be implementedin a single chip. Chip set 1000, or a portion thereof, constitutes ameans for performing one or more steps of FIGS. 1B, 5, and 6.

In one embodiment, the chip set 1000 includes a communication mechanismsuch as a bus 1001 for passing information among the components of thechip set 1000. A processor 1003 has connectivity to the bus 1001 toexecute instructions and process information stored in, for example, amemory 1005. The processor 1003 may include one or more processing coreswith each core configured to perform independently. A multi-coreprocessor enables multiprocessing within a single physical package.Examples of a multi-core processor include two, four, eight, or greaternumbers of processing cores. Alternatively or in addition, the processor1003 may include one or more microprocessors configured in tandem viathe bus 1001 to enable independent execution of instructions,pipelining, and multithreading. The processor 1003 may also beaccompanied with one or more specialized components to perform certainprocessing functions and tasks such as one or more digital signalprocessors (DSP) 1007, or one or more application-specific integratedcircuits (ASIC) 1009. A DSP 1007 typically is configured to processreal-world signals (e.g., sound) in real time independently of theprocessor 1003. Similarly, an ASIC 1009 can be configured to performedspecialized functions not easily performed by a general purposedprocessor. Other specialized components to aid in performing theinventive functions described herein include one or more fieldprogrammable gate arrays (FPGA) (not shown), one or more controllers(not shown), or one or more other special-purpose computer chips.

The processor 1003 and accompanying components have connectivity to thememory 1005 via the bus 1001. The memory 1005 includes both dynamicmemory (e.g., RAM, magnetic disk, writable optical disk, etc.) andstatic memory (e.g., ROM, CD-ROM, etc.) for storing executableinstructions that when executed perform the inventive steps describedherein to presenting a slideshow via a set-top box. The memory 1005 alsostores the data associated with or generated by the execution of theinventive steps.

While the invention has been described in connection with a number ofembodiments and implementations, the invention is not so limited butcovers various obvious modifications and equivalent arrangements, whichfall within the purview of the appended claims.

1. (canceled)
 2. A privileged access management (PAM) apparatuscomprising at least one computing device, the at least one computingdevice configured to: push an access application to an endpoint device,wherein the access application is automatically executed by the endpointdevice; receive a request to connect from the access application; andestablish a session between an accessor device and the accessapplication executed by the endpoint device.
 3. The PAM apparatus ofclaim 2, wherein the at least one computing device is further configuredto push the access application to the endpoint device based on at leastone of: a system management bus, a remote procedure call, inter processcommunications, a file transfer protocol, a secure shell, or a hypertexttransfer protocol.
 4. The PAM apparatus of claim 2, wherein the at leastone computing device is further configured to receive an initial requestfrom the accessor device to access the endpoint device, wherein theaccess application is pushed to the endpoint device in response toreceiving the initial request.
 5. The PAM apparatus of claim 2, whereinthe at least one computing device is further configured to: receive asecond request from a second accessor device to access a second endpointdevice; push another access application to the second endpoint device;receive a third request to connect from the other access application;and establish a second session between the second accessor device andthe second endpoint device.
 6. The PAM apparatus of claim 2, wherein theendpoint device excludes a pre-installed access client.
 7. The PAMapparatus of claim 2, wherein the at least one computing device isfurther configured to execute a push service to handle operations forpushing the access application to the endpoint device.
 8. The PAMapparatus of claim 2, wherein the at least one computing device isfurther configured to manage access rights to the endpoint device.
 9. Amethod comprising: sending an access application to an endpoint device,wherein the access application is automatically executed by the endpointdevice; receiving a request for connection from the access application;and establishing, via the access application, a session between anaccessor device and the endpoint device.
 10. The method of claim 9,wherein sending the access application to the endpoint device isperformed by a protocol agent on behalf of a privileged accessmanagement (PAM) appliance.
 11. The method of claim 10, wherein theprotocol agent communicates with the endpoint device on a local networkand communicates with the PAM appliance on a wide-area network.
 12. Themethod of claim 9, wherein the session is based on an access policyassigned to the endpoint device.
 13. The method of claim 12, wherein aPAM appliance establishes the session and the method further comprisesmanaging, via the PAM appliance, access rights to a plurality ofendpoint devices including the endpoint device and respective accesssession traffic.
 14. The method of claim 9, further comprisingdetermining an in-session policy for the session, wherein the in-sessionpolicy grants or denies access to at least one of: a tool, a command, acredentials, or a resource for the endpoint.
 15. The method of claim 9,wherein sending the access application to the endpoint device isperformed by the accessor device.
 16. A system comprising: a data storecomprising an access application; an endpoint device; and a privilegedaccess management (PAM) appliance in communication with the endpointdevice and the data store, the PAM appliance being configured to:retrieve the access application from the data store; push the accessapplication to the endpoint device; receive a request for connectionfrom the access application; and establish a session between an accessordevice and the access application executed by the endpoint device. 17.The system of claim 16, wherein the endpoint device is configured to:receive the access application from the PAM appliance; and in responseto receiving the access application, automatically execute the accessapplication.
 18. The system of claim 16, further comprising a protocolagent in communication via a local area network with the endpointdevice, wherein the access application is pushed to the endpoint devicevia the protocol agent.
 19. The system of claim 16, further comprising aprotocol agent configured to: connect to the endpoint device using afirst protocol via the first network; and connect to the PAM applianceusing a second protocol via a second network.
 20. The system of claim16, further comprising a protocol agent configured to convert an accessprotocol used by the PAM appliance to another protocol used by theendpoint device.
 21. The system of claim 16, wherein the PAM applianceis further configured to establish a persistent connection to a protocolagent based on a certificate based authentication.